Written by David Garwood, Head of Operations, Riverbank IT Management
Cyber-crime and security breaches can happen to any organisation, regardless of size, sector or technology used.
You can reduce the risk through effective security configuration and policy – password policies, firewall, antivirus, spam filtering, and anti-ransomware are the technical bare minimum – but you also need a robust, tested plan that can be put into action quickly should the worst happen.
An organisation with no plan will lose time and work unproductively, increasing the time it takes to get back to business as usual.
The things you need to do in response to falling victim to cyber-crime can be broken down into two time periods – immediate and short-to-medium term.
The immediate priority must be to stop the spread of the breach, then identify and neutralise the cause.
At its most basic level, this could involve isolating servers, desktops, laptops and other hardware from the network (unplugging network cables or disabling Wi-Fi) or, failing that, shutting them down. Where you have the choice, prefer isolation over powering off: pulling the power destroys evidence held in memory that an investigator may need to establish how the breach happened, although if you can see ransomware actively encrypting files, stopping the damage comes first. In addition, you need to identify how the breach occurred and lock down that avenue of entry. You may need to disconnect your internet connection at the router to stop further incursions; do not simply switch off the firewall, as that removes your protection rather than cutting the attacker off. If you have the skills within your organisation, you may be able to do this yourself, but if not, this is the point where you should engage a third-party IT provider to guide you.
On the face of it, these actions can seem damaging to your business: it will stop your staff from working and your customers from doing business with you. Invariably, there will be a reputational impact if you suffer a cyber-crime security breach.
However, a short-term hit on system availability will be nothing compared to the damage your business will face should you do nothing – expect longer recovery times, greater loss in sales, lengthier non-productivity periods, and a higher risk of further data loss.
Once you have controlled the breach, you can step back, assess the situation, and proceed with your recovery plan. This falls into two broad categories: technical recovery, and communication.
Technical recovery
- Change your firewall rules to block the entry route of the breach. For example, rather than leaving a port (such as remote desktop) open to all traffic from all sources on the internet, allow it only from the specific addresses that genuinely need it, or do not expose it to the internet at all.
- Run a full scan on all hardware (not just the machines you know are affected) using up-to-date antivirus and anti-malware tools. Scanning will identify infections, but do not rely on "cleaning" alone: a machine the attacker fully controlled should be wiped and rebuilt from a known-good image, since a scanner can miss tools the attacker left behind.
- Restore encrypted or lost data from backup, after checking that the backup itself was not reachable from the compromised systems (ransomware commonly encrypts connected backups too) and that it predates the intrusion. Restore onto rebuilt, clean systems, not onto the infected ones.
- Do not reconnect to the internet until you are sure that all of the entry points have been closed and your internal network is clean. Before going back online, reset the passwords of any accounts the attacker may have used or seen, starting with administrator and remote-access accounts.
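As an added example (not part of the original article, and not a Riverbank tool), the script below audits a constructed list of firewall rules for exactly the weakness described above: an "allow" for a remote-access or database port whose source is set to any address. It reports the exposures and renders the tightened rule, restricted to a specific source range, in nftables syntax. The (action, protocol, port, source) rule layout, the port list, and the 203.0.113.0/24 and 2001:db8::/32 ranges are assumptions made for the example.

```python
"""Audit firewall allow rules for services exposed to any source.

Added example, not from the original article: it checks a small,
constructed rule list for the weakness the article describes (a port open
to all sources) and renders the tightened rule, restricted to a specific
source, in nftables syntax.
"""
import ipaddress

# Constructed sample rules as (action, protocol, destination port, source).
# This tuple layout is an assumption for the example, not a vendor's export format.
SAMPLE_RULES = [
    ("allow", "tcp", 443, "0.0.0.0/0"),        # public web server: expected
    ("allow", "tcp", 3389, "0.0.0.0/0"),       # remote desktop open to the world
    ("allow", "tcp", 22, "203.0.113.10/32"),   # SSH from one admin address
    ("allow", "tcp", 445, "0.0.0.0/0"),        # SMB open to the world
    ("allow", "tcp", 3306, "::/0"),            # MySQL open to all IPv6 sources
    ("deny", "tcp", 23, "0.0.0.0/0"),          # a deny rule is not an exposure
]

# Administrative and database services that should never be reachable from arbitrary sources.
ADMIN_PORTS = {22: "ssh", 23: "telnet", 445: "smb", 1433: "mssql",
               3306: "mysql", 3389: "rdp", 5900: "vnc"}


def is_any_source(source):
    """True when the source covers every address (0.0.0.0/0 or ::/0)."""
    return ipaddress.ip_network(source, strict=False).prefixlen == 0


def find_exposed(rules, admin_ports=ADMIN_PORTS):
    """Return (port, service, source) for allow rules exposing an admin port to any source."""
    findings = []
    for action, _proto, port, source in rules:
        if action == "allow" and port in admin_ports and is_any_source(source):
            findings.append((port, admin_ports[port], source))
    return findings


def tighten(rule, allowed_source):
    """Rewrite an allow rule so only allowed_source (a host or range) may reach the port."""
    net = ipaddress.ip_network(allowed_source, strict=False)
    if net.prefixlen == 0:
        raise ValueError("replacement source must be a specific host or range, not any")
    action, proto, port, _ = rule
    return (action, proto, port, str(net))


def to_nft(rule):
    """Render a rule as an nftables statement for an input chain."""
    action, proto, port, source = rule
    verb = "accept" if action == "allow" else "drop"
    net = ipaddress.ip_network(source, strict=False)
    if net.prefixlen == 0:
        return f"{proto} dport {port} {verb}"
    family = "ip6" if net.version == 6 else "ip"
    # A single host reads better without the /32 or /128 suffix.
    src = str(net.network_address) if net.prefixlen == net.max_prefixlen else str(net)
    return f"{family} saddr {src} {proto} dport {port} {verb}"


if __name__ == "__main__":
    for port, service, source in find_exposed(SAMPLE_RULES):
        weak = ("allow", "tcp", port, source)
        # The ranges below stand in for the office or VPN addresses that really need access.
        replacement = "2001:db8::/32" if ":" in source else "203.0.113.0/24"
        fixed = tighten(weak, replacement)
        print(f"{service}: replace '{to_nft(weak)}' with '{to_nft(fixed)}'")
```

Run against a real export, the same check becomes a quick way to do the periodic rule review: any "allow" to an administrative port from 0.0.0.0/0 or ::/0 is a finding, and the tightened rule is what you would apply (or the port is closed and moved behind a VPN).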
Communication / Public Relations
- Contact your customers to explain the situation and that there may be delays with responses, orders, etc. Reassure them that you are in control of the situation.
- Contact your suppliers to discuss the incident with them. They will still be expecting to receive payments. If you are unable to pay them due to your finance system being compromised, you need to make alternative arrangements.
- Create a statement that can either be released or used when you are contacted. Brief your staff on what to say (and, more importantly, what not to say), or get them to refer any contact to a nominated spokesperson. If confused, mixed, or wrong messages are released, there is considerable scope for further reputational damage. If you are not confident with this, hiring a PR consultant may be the best option – they will also be able to advise on containing the reputational damage.
- Amend your website homepage (or online ordering systems) with information for people who try to contact your company.
- Identify any data that may have been lost or stolen. If personal data covered by the Data Protection Act is involved, you will need to report the breach to the Information Commissioner's Office (ICO), the UK data protection regulator, and, depending on the risk to them, to the individuals affected. If a criminal offence has occurred, report it to the police (in the UK, via Action Fraud).
- Engage with a solicitor if any customer data has been lost.
- Continue to keep all stakeholders informed throughout the process.
Short to medium-term
The immediate response gets you out of the initial danger and gets your business back up and running. However, this is not the time to relax – you need to review what happened, why it happened, and how you can stop it happening again.
Some things to consider as part of a full review of the incident:
- Review your IT security policy. Are your passwords sufficiently long and hard to guess? Do they need to be changed regularly? (Current UK NCSC guidance is to avoid forced regular changes, which push people towards weaker, predictable passwords, and instead to change a password as soon as you suspect it has been compromised.) Are people sharing passwords or accounts?
- Is your network hardware (firewall, router, switches) up to the job of meeting your security requirements? Newer firewalls allow you to be much more granular in what you block or allow, and for whom. Many also offer Intrusion Detection and Prevention (IDS/IPS), which can help you spot incursions earlier or stop them altogether.
- Is your antivirus and anti-spam software good enough? Do you need to add additional layers, like ransomware detection?
- Consider running both an internal and external penetration test on your network to identify other areas of weakness that you are unaware of. Look for a CREST approved penetration tester.
- Look at your systems and processes to identify other gaps or weaknesses. Examples here could include financial controls so that a single phishing email cannot trigger a payment (for instance, confirming any change to a supplier's bank details by phoning a known number, and requiring a second approver for large payments), or introducing multi-factor authentication so that a stolen password alone is not enough to log in.
- Investigate whether cyber-crime insurance would be suitable for your business.
- Carry out reviews of your entire security setup at least annually to ensure they are still appropriate and update them as required.
Education, Education, Education
One thing that is often overlooked, but is one of your key methods for preventing a security breach happening again, is education – a huge amount of cyber-crime succeeds because of people! Most of the time it is not malicious; however, a lack of knowledge about how people should behave online or when using business systems can be incredibly dangerous. Steps you can take include:
- Educating your board so the Directors understand the threats and the potential business effect and reputational impact of cyber-crime. Once educated they will be more willing to dedicate time and additional budget to IT security.
- Create an organisational security policy detailing what is expected of staff. Get all staff to sign that they accept and will abide by the policy or face disciplinary action. Make sure this is then monitored and enforced.
- Carry out a staff training programme to increase awareness of cyber-crime and how it can be prevented. Ensure that all staff attend this training and that it is repeated regularly.
- Involve staff in testing the recovery plan so everyone is aware of their roles and responsibilities. Carry out this test at least once a year. Document the results and take appropriate action.
Whilst there is no denying that dealing with cyber-crime is both business-damaging and incredibly stressful for all involved, it does not have to spell the end of your business. Planning is key to ensuring that you can recover quickly and effectively, continue trading within the shortest possible time, and suffer the least possible reputational damage.
David Garwood is Head of Operations at Riverbank IT Management, with over 15 years’ experience in IT Service Delivery – both managed service providers and internal IT departments. His primary focus is on improving the quality of service delivered through the use of well-defined processes, and by developing high quality technical and customer focused teams.
If you have concerns about leaving your business open to the unexpected try our free Online Security Test. If you want to get in touch with our experts at Riverbank email firstname.lastname@example.org or call 01235 426700.